[openstack-dev] [keystone] External authentication plugins
We've got to figure out what external authentication plugins we're going to provide in Keystone. This is something that you'd think wouldn't be complicated, but somehow it's gotten that way. Since we've made mistakes in the past, let's try to be careful this time and come up with what plugins are required, and make sure those are implemented. To this end, I've opened a blueprint: https://blueprints.launchpad.net/keystone/+spec/external-auth-plugins What I need is, a) Make sure the background info is correct. It documents the plugin behavior that we've provided in the past and how they work. Keystone must continue to support these for backwards-compatibility. b) Figure out if there are new plugins that we need to provide. For example, we don't have a V3 plugin that works like V2 authentication; we don't have a V3 plugin that works like Grizzly did. Thanks! - Brant ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [keystone] External authentication
Hi all, During the review of [1] I had a look at the tests that are related with external authentication (i.e. the usage of REMOTE_USER) in Keystone and I realised that there is a bunch of them that are setting external as one of the authentication methods. However, in keystone.auth.controllers there is an explicit call to the external methods whenever REMOTE_USER is set [2]. Should we call the external authentication only when external is set (i.e. in [3]) regardless of the REMOTE_USER presence in the context? [1] https://review.openstack.org/#/c/50362/ [2] https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L335 [3] https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L342 -- Álvaro López García al...@ifca.unican.es Instituto de Física de Cantabria http://alvarolopez.github.io Ed. Juan Jordá, Campus UC tel: (+34) 942 200 969 Avda. de los Castros s/n 39005 Santander (SPAIN) _ Unix never says `please.' -- Rob Pike ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone] External authentication
On 11/14/2013 10:52 AM, Álvaro López García wrote: Hi all, During the review of [1] I had a look at the tests that are related with external authentication (i.e. the usage of REMOTE_USER) in Keystone and I realised that there is a bunch of them that are setting external as one of the authentication methods. However, in keystone.auth.controllers there is an explicit call to the external methods whenever REMOTE_USER is set [2]. Should we call the external authentication only when external is set (i.e. in [3]) regardless of the REMOTE_USER presence in the context? I'd like to. We made a decision to make the user explicitly enable External authentication in the config, but there is no reason that it would have to extend to the request body itself. In theory we could do token creation request with no Body at all, the same way we do role assignments: To create a project scoped token PUT /auth/tokens/domain/domid/projectprojectid And to create a domain token PUT /auth/tokens/domain/domid Would work very well with Basic-Auth or other External formats. Then the Body would only have to contain any mitigating factors, like a shorter expiry or reduced set of roles. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev